Thread: [mod-security-users] Forum reply being blocked by mod_security
From: <ret...@gm...> - 2012-05-22 12:18:09
I'm not getting very far with the software developers so I'm now appealing to the experts here to find a solution to my problem.

It appears mod_security is triggering on the word nmap within a forum post, preventing replies to the thread. Link is here: http://www.globalaffairs.org/forum/threads/nmap-6-released.68912/

The mod_security log shows the following:

Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:X-Ajax-Referer. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "149"] [id "959006"] [msg "System Command Injection"] [data "/nmap-"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"]

This is the first time I've run across this, but it seems to be a common occurrence with the XenForo software package. If a post contains a key word as defined in the mod_security rules, replying to the thread is prevented.

Personally, I feel this is a software issue with XenForo. But I'm covering all my bases in my search for a fix.
From: Josh Amishav-Z. <ja...@gm...> - 2012-05-22 12:35:02
On Tue, May 22, 2012 at 3:17 PM, <ret...@gm...> wrote:
> I'm not getting very far with the software developers so I'm now appealing
> to the experts here to find a solution to my problem.
>
> It appears mod_security is triggering on the word nmap within a forum
> post, preventing replies to the thread. Link is here:
> http://www.globalaffairs.org/forum/threads/nmap-6-released.68912/
>
> The mod_security log shows the following:
>
> Access denied with code 501 (phase 2). Pattern match
> "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?
> ..." at REQUEST_HEADERS:X-Ajax-Referer. [file
> "/usr/local/apache/conf/modsec2.user.conf"] [line "149"] [id "959006"] [msg
> "System Command Injection"] [data "/nmap-"] [severity "CRITICAL"] [tag
> "WEB_ATTACK/COMMAND_INJECTION"]
>

Hi,

It might be better to post this on the CRS mailing list, as the problem you're having is due to a false positive in the core rule set.

In any case, there are a few ways you can whitelist this rule from firing, depending on which version of ModSecurity you're running. For details take a look at:

http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html

--
- Josh

> This is the first time I've run across this, but it seems to be a common
> occurrence with the XenForo software package. If a post contains a key
> word as defined in the mod_security rules, replying to the thread is
> prevented.
>
> Personally, I feel this is a software issue with XenForo. But I'm
> covering all my bases in my search for a fix.
From: Ryan B. <RBa...@tr...> - 2012-05-22 12:37:23
From: "ret...@gm..." <ret...@gm...>
Date: Tue, 22 May 2012 07:17:57 -0500
To: "mod...@li..." <mod...@li...>
Subject: [mod-security-users] Forum reply being blocked by mod_security

> I'm not getting very far with the software developers so I'm now appealing
> to the experts here to find a solution to my problem.
>
> It appears mod_security is triggering on the word nmap within a forum
> post, preventing replies to the thread. Link is here:
> http://www.globalaffairs.org/forum/threads/nmap-6-released.68912/
>
> The mod_security log shows the following:
>
> Access denied with code 501 (phase 2). Pattern match
> "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?
> ..." at REQUEST_HEADERS:X-Ajax-Referer. [file
> "/usr/local/apache/conf/modsec2.user.conf"] [line "149"] [id "959006"] [msg
> "System Command Injection"] [data "/nmap-"] [severity "CRITICAL"] [tag
> "WEB_ATTACK/COMMAND_INJECTION"]
>
> This is the first time I've run across this, but it seems to be a common
> occurrence with the XenForo software package. If a post contains a key
> word as defined in the mod_security rules, replying to the thread is
> prevented.
>
> Personally, I feel this is a software issue with XenForo. But I'm
> covering all my bases in my search for a fix.

What CRS rules version are you using? You might want to upgrade:
https://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/

The false positive is matching data in the REQUEST_HEADERS:X-Ajax-Referer data. The rule you are using is probably already excluding the normal Referer field like this:

REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES …

What version of ModSecurity are you using? If it is v2.6 you can use SecRuleUpdateTargetById to prevent that variable from being inspected by that rule like this:

SecRuleUpdateTargetById 959006 "!REQUEST_HEADERS:X-Ajax-Referer"

Hope this helps,
Ryan
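The tuning step both replies point at, as an added example that is not from the thread or from the ModSecurity project: a small Python script that parses an alert line of the format quoted above, pulls out the rule id and the variable the pattern matched, and emits the per-variable exclusion Ryan describes (spelled SecRuleUpdateTargetById, as in the ModSecurity 2.6 reference manual), a request-scoped ctl:ruleRemoveTargetById variant, and the pre-2.6 SecRuleRemoveById fallback that Josh's exception-handling link covers. The sample alert is constructed from the thread with the elided CRS regex kept as "..."; the /forum/ path prefix and the local rule id 1000001 are assumptions made for the example.

```python
"""Turn a ModSecurity 2.x alert line into rule-exclusion directives.

Added example; it is not code from the thread or from the ModSecurity
project. It parses the bracketed fields of an Apache error-log alert like
the one quoted in this thread and emits the per-variable exclusion Ryan
describes, plus a request-scoped and a pre-2.6 alternative.
"""
import re
from collections import Counter

# Constructed sample built from the alert quoted in the thread; the long CRS
# regex is shortened to "..." because the original is elided there too.
SAMPLE_ALERT = (
    'Access denied with code 501 (phase 2). '
    r'Pattern match "(?:\\b(?:...)" at REQUEST_HEADERS:X-Ajax-Referer. '
    '[file "/usr/local/apache/conf/modsec2.user.conf"] [line "149"] '
    '[id "959006"] [msg "System Command Injection"] [data "/nmap-"] '
    '[severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"]'
)

# [key "value"] fields; a value may contain \" so allow escaped characters.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The variable the pattern matched sits between " at " and ". [file".
TARGET_RE = re.compile(r' at (.+?)\. \[file ')
# Collections whose members can be excluded one at a time by name.
NAMED_COLLECTIONS = {"ARGS", "ARGS_NAMES", "REQUEST_HEADERS",
                     "REQUEST_COOKIES", "REQUEST_COOKIES_NAMES", "XML"}


def parse_alert(line):
    """Return the alert's fields as a dict, or None if it is not an alert.

    Keys: id, msg, data, file, line, severity, target and a list of tags.
    Only lines carrying [id "..."] count as alerts.
    """
    fields, tags = {}, []
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            tags.append(value)          # a rule may carry several tags
        else:
            fields.setdefault(key, value)
    if "id" not in fields:
        return None
    m = TARGET_RE.search(line)
    fields["target"] = m.group(1) if m else None
    fields["tags"] = tags
    return fields


def exclusion_directives(alert, path_prefix="/forum/", marker_id=1000001):
    """Build three ways to stop alert["id"] inspecting alert["target"].

    path_prefix and marker_id are assumptions made for this example: the
    prefix comes from the forum URL in the thread, the id is a local rule id
    outside the CRS range so it cannot collide with a shipped rule.
    """
    rule_id, target = alert["id"], alert["target"]
    if not target:
        raise ValueError("alert does not name the matched variable")
    if target.split(":", 1)[0] not in NAMED_COLLECTIONS:
        raise ValueError(f"{target!r} has no per-member exclusion; "
                         "disable the rule instead")
    return {
        # ModSecurity 2.6+: remove the variable from the rule site-wide.
        # Must be placed after the CRS include so the rule already exists.
        "global": f'SecRuleUpdateTargetById {rule_id} "!{target}"',
        # ModSecurity 2.6+: same removal, only for requests under the prefix.
        # phase:1 so it runs before the phase 2 rule it modifies.
        "conditional": (
            f'SecRule REQUEST_URI "@beginsWith {path_prefix}" '
            f'"id:{marker_id},phase:1,pass,nolog,'
            f'ctl:ruleRemoveTargetById={rule_id};{target}"'
        ),
        # ModSecurity 2.5: no per-target exclusion, so the whole rule is
        # switched off for that location (coarser: ARGS go unchecked too).
        "legacy": (
            f'<LocationMatch "^{re.escape(path_prefix)}">\n'
            f'    SecRuleRemoveById {rule_id}\n'
            "</LocationMatch>"
        ),
    }


def summarize(lines):
    """Count (rule id, target) pairs so recurring false positives stand out
    from one-off hits before anything is excluded."""
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert and alert["target"]:
            counts[(alert["id"], alert["target"])] += 1
    return counts


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    print(f'rule {alert["id"]} ({alert["msg"]}) matched {alert["data"]!r} '
          f'in {alert["target"]}')
    for name, directive in exclusion_directives(alert).items():
        print(f"# {name}\n{directive}\n")
```

Run summarize() over a day of error-log lines first and only exclude the (rule, variable) pairs that recur; a single hit is not yet a false positive. The "global" directive has to be loaded after the CRS files, because SecRuleUpdateTargetById modifies a rule that must already exist. The "legacy" form is the blunt instrument: it disables rule 959006 for the whole location, so the forum post body (ARGS) loses the command-injection check too, which is why the per-target forms are preferable wherever the ModSecurity version allows them.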